[BUG] Not able to connect to kube from cloud shell #516

Open
mbifeld opened this issue Jan 24, 2025 · 2 comments

mbifeld commented Jan 24, 2025

To Reproduce

Run any kubectl command that requires login.

Ex:

kubectl get pods

Observed Behavior

$ kubectl get pods -n external

Error: failed to get token: expected an empty error but received: AzureCLICredential: WARNING: A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-xxxxxxxxxxxxxxx'
ERROR: Audience 6dae42f8-4368-4678-94ff-3960e28e3630/.default is not a supported MSI token audience.
Interactive authentication is needed. Please run:
az login --scope 6dae42f8-4368-4678-94ff-3960e28e3630/.default

E0124 09:22:49.253018 1514 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://[domain_name]:443/api?timeout=32s\": getting credentials: exec: executable kubelogin failed with exit code 1"
Error: failed to get token: expected an empty error but received: AzureCLICredential: WARNING: A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-xxxxxxxxxxxxxxx'
ERROR: Audience 6dae42f8-4368-4678-94ff-3960e28e3630/.default is not a supported MSI token audience.
Interactive authentication is needed. Please run:
az login --scope 6dae42f8-4368-4678-94ff-3960e28e3630/.default

Expected behavior

kubectl commands to function normally

Is this specific to Cloud Shell?

Yes

Interface information

https://portal.azure.com/#cloudshell/

WORKAROUND

Call the Cloud Shell token service to pass in the required token to kubectl commands via the --token parameter. Example:

kubectl [command_name] --token $(curl http://localhost:50342/oauth2/token --data "resource=6dae42f8-4368-4678-94ff-3960e28e3630" -H Metadata:true -s | jq -r '.access_token')
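
Added example, not part of the issue or of any project's own code: a wrapper around the workaround above that fails closed, running kubectl only when the token service returned a JWT whose `aud` claim matches the requested resource. The function names are hypothetical, and it is an assumption that the issued token carries the resource ID as a string `aud` claim.

```shell
#!/usr/bin/env bash
# Added example; the function names below are hypothetical.
AKS_RESOURCE="6dae42f8-4368-4678-94ff-3960e28e3630"  # resource ID from the issue
TOKEN_URL="http://localhost:50342/oauth2/token"       # Cloud Shell token service, from the issue

# Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the "aud" claim of a JWT. The signature is NOT verified: this is a
# sanity check on what gets forwarded, not token validation.
# Assumption: "aud" is a single JSON string.
token_audience() {
  payload=$(printf '%s' "$1" | cut -s -d. -f2)
  b64url_decode "$payload" |
    sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if $1 is non-empty, JWT-shaped and issued for audience $2.
check_token() {
  case "$1" in
    ''|null) echo "token service returned no access_token" >&2; return 1 ;;
    *.*.*)   ;;
    *)       echo "response is not a JWT" >&2; return 1 ;;
  esac
  aud=$(token_audience "$1")
  if [ "$aud" != "$2" ]; then
    echo "unexpected token audience: '$aud'" >&2
    return 1
  fi
}

# Fetch a token as in the workaround, then run kubectl only if it checks out.
# Usage: kubectl_cs get pods -n external
kubectl_cs() {
  token=$(curl -s --max-time 10 "$TOKEN_URL" --data "resource=$AKS_RESOURCE" \
            -H Metadata:true | jq -r '.access_token // empty') || return 1
  check_token "$token" "$AKS_RESOURCE" || return 1
  kubectl "$@" --token "$token"
}
```

Without the check, a failed token request makes `jq -r` print `null`, and kubectl is then invoked with `--token null`.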

mbifeld commented Jan 24, 2025

Workaround posted in description above. Please comment if this is not working for you.

Root cause of bug: AzureAD/microsoft-authentication-library-for-python#784

btam commented Jan 29, 2025

In certain situations, this fixed the issue for me:

kubelogin convert-kubeconfig -l msi
